The Federal Financial Institutions Examination Council (FFIEC) has established its priorities for the remainder of 2015 as a result of the recent FFIEC cybersecurity assessment pilot program. The pilot program looked at many facets of information security strategy at financial institutions, ranging from the role that vendors play in cyber threat management to internal incident response procedures and board involvement in cyber matters. The preliminary results of the pilot program, having evaluated more than 500 financial institutions, contained high-level observations intended to provide financial institutions with risk management discussion points to consider.
Key Recommendations from the FFIEC Cybersecurity Assessment Pilot Program
Consider the inherent risk posture of the financial institution by understanding the number and nature of connection points to public networks
Perform cyber risk assessments at the product level to determine what could go wrong. For example, attackers often compromise customer PCs, leading to stolen online banking credentials and potential ACH fraud.
Ensure that senior management and boards of directors are engaged, informed and involved on matters of cybersecurity risks.
Ensure that proper personnel in the financial institution have the appropriate resources and knowledge to gather information and become aware of cybersecurity risks.
Consider external vendors and business partners and evaluate the level of exposure they bring.
Routinely test the financial institution’s ability to detect, respond and correct a cybersecurity event.
The FFIEC’s priorities for the remainder of 2015 will vigorously focus on enhancing the cybersecurity posture of financial institutions, recognizing the heightened threat landscape. A key priority from the FFIEC is the introduction of a “Cybersecurity Self-Assessment Tool,” and other detailed guidance that will help financial institutions understand what they need to do to protect themselves from cyber threats.
FFIEC Guidance Relating to Cybersecurity Will be Applied to:
Technology Service Provider Strategy
Collaboration with Law Enforcement and Intelligence Agencies
While the tools and guidance are being developed, it is important that executives and boards remain apprised of cybersecurity issues and that they involve key personnel, internally and externally, in developing risk assessments and control strategies to mitigate cybersecurity threats. Until the more detailed guidelines are available, financial institutions need to apply leading practices such as the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity or the Securities Industry and Financial Markets Association’s (SIFMA) Small Firms Cybersecurity Guidance to promote effective risk mitigation and control strategies. In addition, it is equally important for financial institutions to keep a finger on the pulse of cyber threats and newly evolving risks by subscribing to threat monitoring sources such as the United States Computer Emergency Response Team (US-CERT) and the Financial Services Information Sharing and Analysis Center (FS-ISAC). These and other resources encourage collaboration and knowledge-sharing among financial institutions. Since cyber criminals tend to be repetitive in their methods of attempting to breach the security controls of financial institutions, such collaboration is invaluable in mitigating these persistent cyber threats.
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals.